XACML w/ OpenID Connect, SAML, OAuth and SCIM

At the end of Paul Madsen's presentation at CIS a couple weeks ago, he ended with a question that he also posed on Twitter:

[Image: XACML is like a fly in the ointment of SAML, OAuth, OpenID, SCIM and the other related security standards]

The integration of SAML, OAuth, OpenID Connect, SCIM, and other neosecurity standards is relatively straightforward. The fly in the ointment though is XACML. How does it fit w/ all these other security specs? Matt Topper offered his thoughts in reply to Paul's tweet:

When I borrowed a similar deck from Paul for a recent presentation in London, I left off w/ the same question. I was followed that day by David Brossard, VP of Product Management at Axiomatics, a company specializing in XACML that we've since partnered w/. He and I talked about Matt's point in the blogosphere a couple of years ago and discussed these things further that day. After all these conversations and time, let me try to summarize my current thinking on how XACML integrates with protocols like SAML, OAuth, and OpenID Connect.

Cloud Security Standards

A few months ago at the Cloud Identity Summit (CIS) in London, I gave a presentation on the emerging standards that enable secure access to cloud APIs. The protocols that form the neosecurity stack I talked about are Simple Cloud Identity Management (SCIM), SAML, OpenID Connect, OAuth 2, and the JSON-based Identity Protocol Suite (JOSE and JWT). These security protocols are quite new (save SAML), and many attendees had not heard of some of them. They are very important for those implementing APIs and SaaS applications though, so I wanted to explain them in a bit more detail.

OpenID Connect and OAuth 2

These two protocols are a really big deal. Together, they provide authentication and delegated access to APIs, respectively.

OpenID Connect is essentially the third version of OpenID. It is a complete rewrite of the protocol and is not compatible with previous versions. It is an HTTP-based protocol that allows apps to authenticate users in foreign security realms. In this way, it provides SSO. Unlike other protocols such as SAML and WS-Federation that solve the same problem, OpenID Connect provides the following unique benefits and features:

  • Built atop OAuth 2 which is much simpler to implement than prior versions of that spec
  • Designed with native mobile apps and HTML 5 Web apps in mind
  • Designed to achieve higher Levels of Assurance (LoA)
  • RESTful in nature, providing all the benefits of that modern design paradigm
  • Low tech barrier that requires little more than HTTP and JSON support

For more info on OpenID Connect, see the OpenID Foundation's Web site. We'll be blogging about the importance and benefits of OAuth 2 in some of our upcoming posts. Connect on Twitter if you are curious before then.
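To make the "little more than HTTP and JSON" point concrete, here is an added example (not code from the original post, and not from any of the vendors mentioned) of the two ends of an OpenID Connect login that a relying party implements itself: building the authorization request, and validating the ID token (a JWT) that comes back. The issuer URL, client id, redirect URI, shared secret and claim values are all constructed for the demo; the token is signed with HS256 keyed by the client secret so it runs offline, whereas real providers usually publish RSA keys in a JWKS and sign with RS256. A tiny stand-in for the provider mints the token so the validation rules can be exercised end to end.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Hypothetical provider and client settings (assumptions for this example).
ISSUER = "https://op.example"
CLIENT_ID = "my-web-app"
CLIENT_SECRET = b"constructed-shared-secret-for-demo-only"
REDIRECT_URI = "https://rp.example/callback"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorization_request(state: str, nonce: str) -> str:
    """Step 1: the relying party redirects the browser to the provider's
    authorization endpoint. The 'openid' scope is what turns a plain OAuth 2
    request into OpenID Connect; state ties the response to this browser
    session and nonce ties the ID token to it."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    return ISSUER + "/authorize?" + urlencode(params)


def sign_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for the provider: mint a JWT, i.e. base64url(header).base64url(payload)
    plus an HMAC-SHA256 signature over those two segments (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, key: bytes, expected_nonce: str, now=None) -> dict:
    """Step 3: the relying party validates the ID token before trusting any claim in it.
    Each check is one of the ID token validation rules from OpenID Connect Core."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must not get to choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def run_flow() -> dict:
    """Walk the whole exchange with the stand-in provider and return the verified claims."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorization_request(state, nonce)
    assert "scope=openid+profile" in url
    # Constructed token as the provider would return it after the code exchange.
    now = int(time.time())
    token = sign_id_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                           "iat": now, "exp": now + 300, "nonce": nonce}, CLIENT_SECRET)
    return validate_id_token(token, CLIENT_SECRET, nonce)


if __name__ == "__main__":
    print(run_flow())
```

The order of checks matters: the signature is verified before any claim is read, and the algorithm is fixed by the relying party rather than taken from the token header, so a token that merely claims a different or absent algorithm is rejected before it can influence verification.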

Helping Secure the Cloud and Mobile

In my last post, I talked about the new research out from AMD in which security is said to still be the number one concern that cloud computing adopters have. To address these risks, I talked about how existing Identity and Access Management (IAM) practices, procedures, and infrastructure need to be extended to include these new cloud services. In this way, organizations can determine how best to answer the questions "who are you?" and "what are you allowed to do?" The first can be answered by reusing existing authentication systems and federating the identified users to the cloud; the second by provisioning authorization policies into the cloud for enforcement and by pulling back cloud audit logs for centralized analysis.

At Twobo, we are helping organizations in all industries ensure that their Identity Management (IdM) services can secure on-premises systems as well as public, private, and hybrid clouds. We deliver this help in the following ways:

  1. Advice, knowledge, and expertise gained from years of developing and supporting IAM systems and from working w/ numerous organizations worldwide in the adoption of cloud computing.
  2. Pre-integrated, best of breed software from leading vendors in the field of cloud security, including Ping Identity, Axiomatics, UnboundID, and others.
  3. Integration of these and other applications into world-class production systems that scale to millions of users and thousands of apps.
  4. Management and support services needed to ensure peak performance of the critical cloud identity management solutions organizations create from such knowledge and products.

Our years of experience building software in high-security industries have shaped the way we think about mobile and the cloud. Our deep knowledge of digital identity, coupled with our past experience, allows us to help organizations that are struggling to overcome the risks associated with today's hyper-distributed software systems. By meeting with over a hundred organizations in all industries around the world in the last two years alone, we have seen the common struggles resulting from cloud and mobile computing adoption. We have helped these companies overcome the barriers, and have devised workable solutions based on exclusive knowledge and partnerships with specialized security software vendors that address the security concerns of the cloud's naysayers.

In our upcoming blog posts, we'll explain more about how we're helping our customers and share more about our experiences building secure information systems. Till then, please feel free to contact us, leave a comment, or DM us on Twitter to find out more about how we can help you secure the cloud and your mobile apps.

Enveloping the Cloud in Your IAM Cocoon

[Image: Security is the primary concern when adopting cloud computing]

More and more organizations are adopting cloud computing due to economic pressures, increasingly mobile workforces that require data access from anywhere, and other well-known reasons. As AMD recently pointed out in its global study on the matter, the primary concern adopters have is security, as depicted in a handy infographic. Security has been the major critique of the cloud since its inception. Due to the many successful uses of this new computing paradigm, even the skeptics are starting to change their tune.

As Richard Walters pointed out in his recent article on The Data Chain, "Extending security policy enforcement, access control and auditing is the best route to enabling BYOD and SaaS." I completely agree that organizations need to extend existing IAM procedures and infrastructure to encompass new cloud services in order to secure them. I presented on this very idea over a year ago for one of our partners, Ping Identity. As I said then, an important prerequisite to being able to expand entitlement management and audit solutions to the cloud is the extension of the other key components of identity management, namely authentication, federation, and provisioning. The combined use of all aspects of Identity and Access Management (IAM) helps address many of the security issues w/ cloud computing and mobile computing.

To see how this cocoon can be spun around the cloud, let me describe how existing IAM capabilities can be used within this new form of computing.